The COVID-19 crisis has meant, where possible, employees had to start working from home suddenly. That may continue if the pandemic lengthens, and for organizations trying to save money, it may become permanent.
For some CISOs, that means a lot of scrambling to equip employees’ computers with extra security software and buttress data security.
But infosec pros worried about having control over those working remotely have been warned that doing the basics — the “mundane tasks” — comes before buying products. Understanding where critical data assets are and then creating a risk management strategy come first, Jonathan Nguyen-Duy, Fortinet’s global field CISO, told an online conference Thursday.
“Before you think about control, make sure you understand what you have, the nature of its criticality, the risks associated with that and then apply appropriate security controls,” he said.
The biggest mistake he made early in his career, he added, was buying technology first before doing these things.
He was speaking on a panel for CISOs during a week-long series of webinars called siberXchange, run by Richmond Hill, Ont., based siberX, which produces cybersecurity events. The conference ends today with a session about smart cities.
Several of the CISO sessions dealt with the impact of the pandemic on their organizations, and the advice of infosec leaders on how to protect organizations during a time of upheaval. Here are some highlights:
- To get the budget you need, make sure upper management understands the importance of cybersecurity now and supports it, said Olivera Zatezalo, CSO of Huawei Canada. Know what data assets have to be protected, what security controls you have and what are missing. Do a gap analysis using a security maturity framework, then set up governance (security policies) and then implement controls based on those policies. Finally, monitor the environment to ensure controls are effective.
- “As CISOs we are ingrained to be risk-averse, but I think during times like these we have to change to accommodate the people in the organizations.” If a staffer asks to use a new tool but IT is so busy now they won’t get it for a month, say yes as long as it doesn’t expose the organization to risks it’s uncomfortable with, said Shahid Saya, director of cybersecurity at Maple Leaf Sports and Entertainment, which owns the Toronto Maple Leafs and the Toronto Raptors. “As leaders, you have to show empathy.” If a staffer asks permission, he added, the CISO has done a good job making staff security-aware.
- Samer Adi, head of IT infrastructure and security at GoodFood Market Corp., a meal delivery service, said he was “very anxious” when staff asked to connect to the corporate network with personal devices. But, he said, “we needed to balance the risk between people sitting at home doing nothing or accept the risk with a personal device so they could work.” So he said yes to these requests, as long as IT could push software updates to devices until staff could be shipped a company-controlled device.
- Michael Ball of Team CISO, who acts as a virtual chief information security officer for small and mid-sized businesses, said with the increase in working from home his service shifted its security awareness program for customers to emphasizing the need to increase home security — everything from changing default passwords for home routers, setting up WiFi guest passwords and using password management software.
- “Speed and agility are replacing perfection,” said Mohsen Azari, senior cybersecurity leader at Walmart Canada. “Rather than doing long projects, we are now doing incremental projects based on requirements from customer-facing or internal associates, making sure we deal with those as quickly as possible.” For example, he added a special team to make sure its supply chain worked more efficiently to handle the increase in online purchases. Another was the addition of multi-factor authentication.
- Sherry Rumbolt, a national security information officer at Canada’s Defence Department, said the armed forces haven’t been big on cloud computing for security reasons. Still, she said, the pandemic saw the quick onboarding of 30,000 people to a cloud-based office productivity suite. “We’re not going back to the model we had before,” she said, although the defence department “can only go to cloud for certain things.”
- CISOs can impose all sorts of “perceived controls” but “the [important] thing about security is consistency”, said Bil Harmer, CISO of identity provider SecureAuth Corp. And, he added, the only consistent thing is the user. And these days identifying the user is key. “This goes beyond 2FA or MFA. We should be in the world of ‘adaptive identification’ – taking telemetry off the device, polling it, understanding what situation the user is in, what risk level does that approach, and then applying the appropriate identification. Because if we keep piling on stuff (security controls) our users will get frustrated and will find ways around it.”
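The “adaptive identification” Harmer describes, in which device telemetry is scored and the authentication requirement follows the risk level, can be sketched as a small policy engine. The following is an added example written for this article; it is not SecureAuth’s product logic or code from any panelist. The `Telemetry` fields, the weights in `WEIGHTS` and the score thresholds are all assumptions chosen for illustration, and the three sample sessions are constructed.

```python
"""Risk-based (adaptive) authentication policy: score login telemetry,
then pick the authentication strength that matches the risk.
Hypothetical policy for illustration; field names, weights and
thresholds are assumptions, not any vendor's scale."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Telemetry:
    """Signals an endpoint agent or identity provider might report at login.
    All field names are assumed for this example."""
    managed_device: bool      # enrolled in MDM / company-controlled
    known_device: bool        # device fingerprint seen for this user before
    os_patched: bool          # OS at the required patch level
    network: str              # "corporate", "home" or "public"
    geo_consistent: bool      # country matches the user's recent logins
    hours_since_mfa: float    # age of the last strong authentication


# Additive risk weights (constructed for this example).
WEIGHTS = {
    "unmanaged": 30,
    "unknown_device": 25,
    "unpatched": 15,
    "network_public": 20,
    "network_home": 5,
    "geo_mismatch": 30,
    "stale_mfa": 10,
}
STALE_MFA_HOURS = 12.0
VALID_NETWORKS = {"corporate", "home", "public"}


def risk_score(t: Telemetry) -> int:
    """Sum the weights of every risky signal present in the telemetry."""
    if t.network not in VALID_NETWORKS:
        raise ValueError(f"unknown network class: {t.network!r}")
    score = 0
    if not t.managed_device:
        score += WEIGHTS["unmanaged"]
    if not t.known_device:
        score += WEIGHTS["unknown_device"]
    if not t.os_patched:
        score += WEIGHTS["unpatched"]
    if t.network == "public":
        score += WEIGHTS["network_public"]
    elif t.network == "home":
        score += WEIGHTS["network_home"]
    if not t.geo_consistent:
        score += WEIGHTS["geo_mismatch"]
    if t.hours_since_mfa > STALE_MFA_HOURS:
        score += WEIGHTS["stale_mfa"]
    return score


def required_assurance(score: int) -> str:
    """Map a score band to an authentication requirement (assumed bands)."""
    if score < 20:
        return "password"   # low risk: add no extra friction
    if score < 60:
        return "mfa"        # moderate risk: step up once
    return "deny"           # high risk: refuse and route to help desk / IR


def decide(t: Telemetry) -> dict:
    """Full decision for one login attempt."""
    score = risk_score(t)
    return {"score": score, "assurance": required_assurance(score)}


# Constructed sample sessions: a compliant corporate laptop, a personal
# device at home (the situation GoodFood described), and a risky outlier.
SAMPLES = {
    "managed_on_corp_net": Telemetry(True, True, True, "corporate", True, 2.0),
    "personal_laptop_at_home": Telemetry(False, True, True, "home", True, 30.0),
    "unknown_unpatched_abroad": Telemetry(False, False, False, "public", False, 30.0),
}


def evaluate_samples() -> dict:
    """Decide every constructed sample; returns name -> decision."""
    return {name: decide(t) for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in evaluate_samples().items():
        print(f"{name:26s} score={d['score']:3d} -> {d['assurance']}")
```

The point of the banding is the one Harmer makes about consistency without friction: a managed, patched device on the corporate network scores zero and is never re-prompted, a personal device at home gets a single MFA step-up rather than a blanket refusal, and only the outlier (unknown, unpatched, on a public network from an unexpected country) is denied and handed to the help desk or incident response. Tune the weights from your own telemetry and review the denied cases, since a score that is too aggressive is exactly what pushes users to work around the controls.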